Feds Back Projects to Bolster Online ID Verification

This week in security news: The federal government is issuing grants to fund projects that will enhance online privacy and identity verification; Virgin Mobile has taken steps to strengthen its password security following revelations that it was woefully weak; and Microsoft rushed out a patch for a zero-day flaw that had been discovered a week earlier.

By John P. Mello Jr.
Sep 24, 2012 5:00 AM PT

When Paul Steiner published his 1993 cartoon in The New Yorker with the caption, "On the Internet, no one knows you're a dog," little did he know it would become a mantra among security professionals, especially those concerned about authenticating identities on the Net.

The job of finding ways to identify dogs in cyberspace has been assigned to the National Strategy for Trusted Identities in Cyberspace, better known as NSTIC. And last week the agency announced the award of US$10 million for five pilot projects aimed at improving authentication, security and privacy on the Net, in industries ranging from healthcare to education to online payments.

"Our strategy is for the private sector to work in partnership with the government to create an identity ecosystem," Jeremy Grant, the head of NSTIC's National Program Office, explained to TechNewsWorld. That ecosystem, he said, would be a marketplace of different solution providers where any citizen could choose from a variety of credential providers and obtain a strong credential for online activity.

Big Change

"This is quite a sea change because NSTIC will help in leading the way for a collaboration between commercial, government and citizen interest unlike ever before," Geoff Slagle, the American Association of Motor Vehicle Administrators' director for Identification Standards, told TechNewsWorld.

The pilots will be attempting to bring NSTIC's paper strategies into the real world. "The pilots take the vision and principles in our strategy and translate them into solutions that will be in the marketplace," Grant observed.

Grants for the five pilot projects were awarded to:

The American Association of Motor Vehicle Administrators: $1,621,803 to lead a consortium to produce a secure online identity ecosystem that will lead to safer transactions by enhancing privacy and reducing the risk of fraud in online commerce.

Criterion Systems: $1,977,732 to allow consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience.

Daon, Inc.: $1,821,520 to demonstrate how senior citizens and all consumers can benefit from a digitally connected, consumer friendly Identity Ecosystem and will employ user-friendly identity solutions that leverage smart mobile devices to maximize consumer choice and usability.

Resilient Network Systems: $1,999,371 to demonstrate that sensitive health and education transactions on the Internet can earn patient and parent trust by using a Trust Network built around privacy-enhancing encryption technology.

Virgin Mobile Password Snafu

Password practices at Virgin Mobile's website were criticized last week for their lack of security.

Kevin Burke, a developer at API designer Twilio, publicly aired his concerns about the password practices at the site after a month of trying to wake up Virgin to its problems.

Account holders are forced to use a six-digit number for a password, he explained. There are only a million possible combinations for such a password, which would be child's play for a hacker to crack, he maintained.

Worse yet, Virgin did not have a limit on the number of consecutive unsuccessful tries that could be entered at the site, making it even easier to "brute force" an account's password. Once Burke made his concerns public and the media began spreading them across the Internet, Virgin added a failed-try limit to its site.

That limit scheme, though, is defective, according to Burke. "If you tried five wrong passwords in a browser, which sends the same cookies with every request, Virgin would lock you out and tell you to contact support," he explained to TechNewsWorld.

"However," he continued, "you could get around this by clearing your cookies or not sending cookies in the first place."

"In essence, Virgin was asking me to tell them how many times I'd failed to log in in the past," he added. "Without cookies, you could try as many wrong passwords as you wanted until you guessed the right one."
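The design flaw Burke describes is a lockout counter that lives in client state rather than on the server. The following is an added example, not Virgin Mobile's code or anything from the article: a minimal model of both designs side by side, with a small harness a defender can use to verify that a lockout still holds when the client returns no cookies at all. Account names, PINs, the request shape and the five-attempt limit are constructed assumptions.

```python
"""Two lockout designs for a six-digit-PIN login, modelled after the flaw
described in the text. Constructed example: the account store, PINs and the
Request shape are assumptions, not any real site's implementation."""
from dataclasses import dataclass, field
import hmac

MAX_FAILURES = 5

# Constructed account store: username -> six-digit PIN (as the article describes).
ACCOUNTS = {"alice": "482913"}


@dataclass
class Request:
    username: str
    pin: str
    cookies: dict = field(default_factory=dict)  # whatever the client chose to send


def _pin_matches(username: str, pin: str) -> bool:
    """Constant-time comparison against the stored PIN; unknown users fail."""
    stored = ACCOUNTS.get(username)
    return stored is not None and hmac.compare_digest(stored, pin)


# --- Weak design: the failure count lives in a cookie the client controls ----
def login_cookie_counter(req: Request):
    """Returns (status, cookies_to_set). The lockout decision is based solely
    on the 'fails' cookie the client reported, so a client that never returns
    the cookie is never locked out."""
    fails = int(req.cookies.get("fails", 0))
    if fails >= MAX_FAILURES:
        return "locked", {"fails": str(fails)}
    if _pin_matches(req.username, req.pin):
        return "ok", {"fails": "0"}
    return "denied", {"fails": str(fails + 1)}


# --- Hardened design: the failure count lives server-side, keyed by account --
class ServerSideLockout:
    def __init__(self, max_failures: int = MAX_FAILURES):
        self.max_failures = max_failures
        self._failures: dict = {}  # username -> consecutive failed attempts

    def login(self, req: Request):
        """Cookies play no part in the lockout decision. Once the account is
        locked, even the correct PIN is refused until support resets it."""
        n = self._failures.get(req.username, 0)
        if n >= self.max_failures:
            return "locked", {}
        if _pin_matches(req.username, req.pin):
            self._failures.pop(req.username, None)
            return "ok", {}
        self._failures[req.username] = n + 1
        return "denied", {}


def run_attempts(login_fn, username: str, pins, send_cookies: bool):
    """Drive `login_fn` with a sequence of PIN attempts. `send_cookies` models
    whether the client returns the cookies the server set. Returns one status
    per attempt, which is what a lockout regression test should assert on."""
    jar: dict = {}
    statuses = []
    for pin in pins:
        req = Request(username, pin, dict(jar) if send_cookies else {})
        status, set_cookies = login_fn(req)
        statuses.append(status)
        jar.update(set_cookies)
    return statuses


if __name__ == "__main__":
    wrong = ["000001"] * 8  # constructed wrong guesses
    print("cookie counter, cookies kept:   ", run_attempts(login_cookie_counter, "alice", wrong, True))
    print("cookie counter, cookies dropped:", run_attempts(login_cookie_counter, "alice", wrong, False))
    print("server-side, cookies dropped:   ", run_attempts(ServerSideLockout().login, "alice", wrong, False))
```

With cookies honoured, both designs lock the account after five failures; with cookies dropped, only the server-side counter does. A per-account counter on its own lets anyone lock a victim out by guessing wrongly five times, so in practice it is paired with per-source throttling or progressive delays rather than used alone.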

Microsoft Pushes IE Patch

Following recommendations by a chorus of security experts that users stop using its Internet Explorer web browser because of a Zero Day vulnerability discovered in the software last week, Microsoft pushed out a patch last Friday to address the problem.

In addition to the public vulnerability, the patch also addressed four flaws privately reported to it, the company explained in a security bulletin.

"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer," the bulletin noted. "An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user."

While vulnerabilities in Internet Explorer used to be common, in recent times Microsoft has done a good job of tightening up the software's security. For example, it had been two years since a Zero Day vulnerability was discovered in the browser, according to Tony Bradley, writing for PCWorld.

Breach Diary

Sept. 17: Hacker group calling itself NullCrew posts to the Internet some 4,000 names and a handful of passwords they claim were stolen from the University of Cambridge Press. The university denies any breach took place.

Sept. 17: Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates agree to pay $1.5 million to the U.S. Department of Health and Human Services for violating the agency's information security rules.

Sept. 18: U.S. Court of Appeals allows case to proceed against AvMed Health Plans, of Florida, for 2009 data breach resulting from theft of two laptops from one of the company's facilities. Personal information for some 1.22 million people may have been compromised by the breach.

Sept. 18: Kentucky-based Cabinet for Health and Family Services notifies some 2,500 clients that a phishing attack on an email account on its system could have compromised their personal identifying information. Officials of the provider said they were "pretty confident" the information hadn't been accessed by the intruders, but were required by state law to send out the notification.

Oct. 1: Launch of "S&TI Flash Traffic," a monthly summary of R&D activities for 14 high-risk nation-states -- states with high levels of hacker activity or acts of cyber espionage -- published by Taia Global. Annual subscription $250 until October 1, $500 thereafter.